isolate iframe viewing of files is broken due to Content Security Policy directive |
||||
Issue descriptionChrome Version: (copy from chrome://version) OS: (e.g. Win7, OSX 10.9.5, etc...) What steps will reproduce the problem? (1) Use the browse UI to view a file (like https://isolateserver.appspot.com/browse?namespace=default-gzip&digest=2ae23beb47393eccf58a63db5eac8edbeef05a7d). What is the expected result? Expect to see the output inside the iframe. What happens instead? Actually see nothing. If you open the console, you see the following error; ---- Refused to frame 'https://isolateserver.appspot.com/content?namespace=default-gzip&digest=2ae23beb47393eccf58a63db5eac8edbeef05a7d' because it violates the following Content Security Policy directive: "child-src https://accounts.google.com". ----
,
Feb 8 2017
,
Feb 8 2017
- Breakage happened in ce89e405 - Yesterday I pushed 2613-75778df to isolateserver.appspot.com, which contained the breaking commit. - Previous version was 2472-3e0549e - In the meantime, I reverted isolateserver.appspot.com to unblock users - I asked jonesmi@ to fix it as he wants to ramp up and it is a relatively simple change. - Sorry for the inconvenience - Breakage happened in ce89e405 - Yesterday I pushed 2613-75778df to isolateserver.appspot.com, which contained the breaking commit. - Previous version was 2472-3e0549e - In the meantime, I reverted isolateserver.appspot.com to unblock users - I asked jonesmi@ to fix it as he wants to ramp up and it is a relatively simple change. - Monorail won't allow me to assign this issue to him :/ - Sorry for the inconvenience
,
Feb 8 2017
Adding 'self' here should be good enough: https://github.com/luci/luci-py/blob/master/appengine/components/components/auth/handler.py#L377 Should I make this change or wait for jonesmi@ to do it?
,
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/external/github.com/luci/luci-py.git/+/1572861aa9c53a547b8372602c58abd49aa62352 commit 1572861aa9c53a547b8372602c58abd49aa62352 Author: jonesmi <jonesmi@google.com> Date: Thu Feb 09 21:52:26 2017 Fix iframe security policy directives for viewing isolate content - include 'self' in child-src csp for isolate BrowserHandler - whitelist google-analytics for img-src in component/auth BUG= 689723 Review-Url: https://codereview.chromium.org/2681293003 [modify] https://crrev.com/1572861aa9c53a547b8372602c58abd49aa62352/appengine/components/components/auth/handler.py [modify] https://crrev.com/1572861aa9c53a547b8372602c58abd49aa62352/appengine/isolate/handlers_frontend.py
,
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/external/github.com/luci/luci-py.git/+/1572861aa9c53a547b8372602c58abd49aa62352 commit 1572861aa9c53a547b8372602c58abd49aa62352 Author: jonesmi <jonesmi@google.com> Date: Thu Feb 09 21:52:26 2017 Fix iframe security policy directives for viewing isolate content - include 'self' in child-src csp for isolate BrowserHandler - whitelist google-analytics for img-src in component/auth BUG= 689723 Review-Url: https://codereview.chromium.org/2681293003 [modify] https://crrev.com/1572861aa9c53a547b8372602c58abd49aa62352/appengine/components/components/auth/handler.py [modify] https://crrev.com/1572861aa9c53a547b8372602c58abd49aa62352/appengine/isolate/handlers_frontend.py
,
Feb 9 2017
|
||||
►
Sign in to add a comment |
||||
Comment 1 by jbudorick@chromium.org
, Feb 8 2017Labels: -Pri-3 Pri-2